Skip to main content

Grafana OSS CVE-2026-28379

| EUVD-2026-30139 MEDIUM
Race Condition (CWE-362)
2026-05-13 GRAFANA GHSA-5699-ppr6-8h44
Denial Of Service Grafana Race Condition Grafana Oss
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 12:39 vuln.today
Patch available
May 13, 2026 - 21:02 EUVD

DescriptionCVE.org

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.

AnalysisAI

Grafana Live's concurrent request handling exposes authenticated Viewer-role users as a denial-of-service vector: sending concurrent requests triggers a fatal map access error that crashes the entire Grafana server, requiring a manual restart to restore service. All Grafana OSS releases from 8.2.0 through 13.0.1 are affected across multiple maintained branches, making the exposure surface exceptionally broad. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Grafana Viewer credentials
Delivery
Authenticate to target Grafana instance
Exploit
Send concurrent requests to Grafana Live endpoints
Execution
Race condition corrupts shared map state
Persist
Fatal Go runtime panic terminates Grafana process
Impact
Dashboard and alerting service unavailable
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid Grafana account at minimum Viewer privilege (CVSS PR:L confirmed); unauthenticated access is not sufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 Medium score reflects a network-reachable (AV:N), low-complexity (AC:L), low-privilege (PR:L) attack with no user interaction required and a high availability impact (A:H), but no confidentiality or integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker authenticates to Grafana with any Viewer-level account - the lowest privilege tier - and sends a burst of concurrent HTTP or WebSocket requests targeting Grafana Live endpoints. The concurrent access races on an unprotected internal map, triggering a fatal Go runtime panic that terminates the Grafana process and renders the observability platform unavailable until an operator manually restarts it.
Remediation The primary fix is to upgrade to one of the vendor-released security patch builds, depending on the installed branch: 11.6.14+security-04, 12.2.8+security-04, 12.3.6+security-04, 12.4.3+security-02, or 13.0.1+security-01, all documented at https://grafana.com/security/security-advisories/cve-2026-28379. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-11769 MEDIUM
6.4 Jun 13

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to creat

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Manager Client Tools 15 Fixed
SUSE Manager Client Tools for SLE 15 Fixed
SUSE Multi-Linux Manager Client Tools for SLE 15 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP4 Fixed

Share

CVE-2026-28379 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy